Earlier this week, I had to interview a bunch of applicants for a web developer role. The idea is to filter out those who aren’t really experienced as the job asks for people with at least 6 months of experience.
Anyway, below is the test I gave them. I don’t feel like giving something like it again in the future (it’s pretty crappy IMHO) so I think it would be a good idea to share it instead of just throwing it away.
Determine whether the statements below are true or false. Be prepared to explain your answer.
- A primary key can be composed of multiple columns.
- When you have two tables in a parent-child relationship (i.e. one table has a foreign key referring to the other table) deleting a parent record will delete all child records of that record.
- Escaping special characters is the best way to avoid SQL injection.
- You can undo `UPDATE` and `DELETE` changes to the database.
- The `VARCHAR` data type can be used to save space when used over `CHAR`.
- When using an RDBMS, normalization must be done for all tables.
- Indexes speed up database actions.
- Foreign keys are usually indexed.
- Many-to-many relationships are implemented via junction/join tables.
- Some HTML elements have been deprecated in favor of CSS.
- The `<strong>` element can be used interchangeably with the `<b>` element.
- Under strict XHTML rules, `<br>` is not a valid usage of the line break element.
- The `href` attribute of the anchor element only accepts relative and absolute links.
- The `image` tag is a block element.
- When a form is submitted, the submitted data is derived from only the `input` elements inside the `form`.
- Multiple elements can have the same `id` attribute.
- Web servers serve content at port 443.
- A web server can identify if a client has visited the website before.
- `POST` is idempotent.
- A browser redirect can be initiated by a response with an empty body.
- In JavaScript, the `var` keyword is optional when declaring variables so it can be omitted in all cases.
- You must specify a function name when declaring JavaScript functions.
- Ajax will prevent you from performing other actions until the Ajax action is completed.
- You are limited to using XML in Ajax.
- You cannot change the values of a class variable.
- Constructors are instance methods.
- Polymorphism refers to the ability to define functions to have different behaviors depending on the passed arguments.
- High cohesion and loose coupling can improve coding speed.
- You can combine the features of two classes via inheritance.
- Encapsulation is primarily used for security reasons.
Answers below the cut.
—
Any decent web developer would see why I’m not too comfortable with this test: most of the items are trick questions. The fun part here is that I did that not because I want to boost my ego like many complicated/puzzle questions (secretly) do for the interviewers, but because I specifically wanted to test the applicants’ levels using the Dreyfus model.
I didn’t need Novices, I needed Advanced Beginners to Competent applicants, hence the “Be prepared to explain your answer”. These questions were designed to be too hard for novices while being too easy for competent developers.
With a little luck, Novices can ace this exam. But ask them “Why?” and they’re sure to falter. Ask an Advanced Beginner the same question and they might answer “I tried using it the other way before, it didn’t work”. Ask a Competent developer and you’ll get “Actually the answer can go either way, if you have this or that constraint”. (Ask an Expert and you’ll get something like this.)
Anyway, here are the answers. Scoring is simple: answer like a Competent developer and I’ll give you a pass, answer like a Novice and I’ll fail you.
A primary key can be composed of multiple columns.
TRUE
As many people consider the definition of a Primary Key as a “single column that uniquely identifies rows”, even advanced beginners might consider this false as it violates that “single column” definition.
Unfortunately for them, you can have primary keys that use multiple columns. Typically they’re called composite (or compound) keys.
When you have two tables in a parent-child relationship (i.e. one table has a foreign key referring to the other table) deleting a parent record will delete all child records of that record.
DEPENDS
When you define a foreign key, you can choose to define the referential action to be done upon deletion of the parent record. You can delete the child records, set the foreign key to NULL, or even do no action at all.
Escaping special characters is the best way to avoid SQL injection.
FALSE
While I’m happy to report that most of the applicants knew about SQL injection, none of them were able to answer this correctly. The best solution is to use a parameterized interface as suggested by OWASP:
Preventing injection requires keeping untrusted data separate from commands and queries.
- The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Beware of APIs, such as stored procedures, that appear parameterized, but may still allow injection under the hood.
Escaping special characters is only #2 on that list.
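To show why escaping ranks below parameterization, here is an added example (mine, not from the original post) with a constructed in-memory SQLite table: quote-escaping protects a value inside a quoted string literal but does nothing for a value spliced into a numeric context, while a bound parameter is safe in both.

```python
import sqlite3

def make_users_db():
    # Constructed in-memory sample data for the demo (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def escape_quotes(value):
    # The "escaping" approach: double every single quote so it cannot
    # terminate a string literal. Nothing else is touched.
    return str(value).replace("'", "''")

def names_concat(conn, name):
    # Vulnerable: the raw input becomes part of the SQL text.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def names_escaped(conn, name):
    # Escaping works here only because the value sits inside a quoted literal.
    sql = "SELECT name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return sorted(row[0] for row in conn.execute(sql))

def names_by_id_escaped(conn, user_id):
    # Same escaping, numeric context: there are no quotes to break out of,
    # so escaping changes nothing and the input is still parsed as SQL.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return sorted(row[0] for row in conn.execute(sql))

def names_by_id_param(conn, user_id):
    # Parameterized: the driver sends the value as data, never as SQL text,
    # which is the OWASP-preferred option regardless of the column's type.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)
```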
You can undo `UPDATE` and `DELETE` changes to the database.
DEPENDS
You can rollback those actions while inside a Transaction, but in most cases, no, you can’t undo them. Hope you made backups.
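An added example (not from the original post) of the "inside a transaction" case, using a constructed SQLite table: the same DELETE is undone by ROLLBACK while the transaction is open, and once COMMIT has run there is nothing left to roll back.

```python
import sqlite3

def make_orders_db():
    # Constructed in-memory sample data (not from the original post).
    # isolation_level=None disables the driver's implicit transactions, so the
    # BEGIN/COMMIT/ROLLBACK below are exactly what reaches the database.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO orders (status) VALUES (?)",
                     [("open",), ("open",), ("shipped",)])
    return conn

def count_open(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE status = 'open'").fetchone()[0]

def delete_open(conn, commit):
    # Run the ad hoc DELETE inside an explicit transaction and decide
    # afterwards whether to keep it.
    conn.execute("BEGIN")
    deleted = conn.execute("DELETE FROM orders WHERE status = 'open'").rowcount
    if commit:
        conn.execute("COMMIT")
    else:
        conn.execute("ROLLBACK")  # undoes the DELETE
    return deleted

def try_rollback(conn):
    # After COMMIT there is no active transaction; SQLite refuses the ROLLBACK.
    try:
        conn.execute("ROLLBACK")
        return True
    except sqlite3.OperationalError:
        return False
```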
The `VARCHAR` data type can be used to save space when used over `CHAR`.
TRUE
Another surprising discovery: not a lot of people are familiar with SQL data types. I assume that they don’t care whether they’re using VARCHAR or CHAR when storing strings.
At any rate, this should be true due to VARCHAR’s variable-width nature as opposed to CHAR’s fixed-width, though not for all cases.
When using an RDBMS, normalization must be done for all tables.
FALSE.
There are cases where denormalization is favored over normalization.
Quick note: when an applicant can properly explain what normalization is in practical terms, you’ve got yourself a Competent developer.
Indexes speed up database actions.
DEPENDS
Indexes can speed up SELECT operations, but they slow down INSERT, UPDATE, and DELETE operations because every index has to be maintained on each write.
Foreign keys are usually indexed.
TRUE
FKs are usually indexed to speed up child record retrieval. The index isn’t required, though.
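An added example (not from the original post) that makes the last two answers concrete with a constructed parent/child schema in SQLite: the child lookup by foreign key is a full table scan until an index is created on the FK column, which SQLite does not add on its own.

```python
import sqlite3

def make_shop_db():
    # Constructed sample schema (not from the original post): orders is the
    # child table and customer_id its foreign key to customers.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER REFERENCES customers(id),
            total REAL
        );
    """)
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.executemany("INSERT INTO orders (customer_id, total) VALUES (?, ?)",
                     [(1, 9.5), (2, 20.0), (1, 3.25)])
    return conn

CHILD_LOOKUP = "SELECT total FROM orders WHERE customer_id = ?"

def plan_for_child_lookup(conn):
    # EXPLAIN QUERY PLAN reports how SQLite intends to find the child rows;
    # the human-readable detail is the last column of each plan row.
    rows = conn.execute("EXPLAIN QUERY PLAN " + CHILD_LOOKUP, (1,)).fetchall()
    return " ".join(row[-1] for row in rows)

def uses_index(conn):
    return "USING INDEX" in plan_for_child_lookup(conn)

def add_fk_index(conn):
    # SQLite does not index a foreign key automatically; do it explicitly.
    conn.execute("CREATE INDEX idx_orders_customer ON orders (customer_id)")
```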
Many-to-many relationships are implemented via junction/join tables.
TRUE
When people read “join table” they think of SQL JOINs. Too bad what I’m after is the junction table.
The sad part is that many-to-many is a pretty common entity relationship, even more common than one-to-one.
Some HTML elements have been deprecated in favor of CSS.
TRUE
Many elements were deprecated upon moving to HTML 4 because they deal with appearance and layout. All of them can be easily implemented in CSS.
The `<strong>` element can be used interchangeably with the `<b>` element.
DEPENDS
If we’re talking about typical browser behavior, yes, both tags turn text into boldface.
But when it comes down to usage, one provides semantics (i.e. meaning) while the other tells the browser how the enclosed text should look. It would not be unusual for a designer to style the `<strong>` tag so that the text is italicized, in bold face, and a few pixels larger than normal text.
Under strict XHTML rules, `<br>` is not a valid usage of the line break element.
DEPENDS
XHTML requires empty elements to either have an end tag or have the start tag end with `/>`. `<br>` is still valid as long as it is immediately closed by `</br>`. However, it may give uncertain results in user agents.
The `href` attribute of the anchor element only accepts relative and absolute links.
Okay, so this is a trick question. I didn’t specify whether the “link” is a general URI (which would allow `mailto:` and `javascript:`) or just an HTTP URI. I just wanted to know if the applicant knows enough about the anchor tag and links, and I think this question did its job well.
The `image` tag is a block element.
FALSE
A tricky question, but one that would immediately tell me if the applicant has an idea about block-level and inline elements.
The `img` tag is inline (sorry, couldn’t find a good reference. Gecko and WebKit treat it as inline, though), but most designers set its `display` property to block.
When a form is submitted, the submitted data is derived from only the `input` elements inside the `form`.
FALSE
Yet another trick question. I’m checking whether the applicant has tried putting `input` elements outside the `form`, since it’s a sign of being an Advanced Beginner.
Anyway, this is false simply because the `textarea` and `select` elements also determine the data submitted by the form.
Multiple elements can have the same `id` attribute.
DEPENDS
You can define multiple elements with the same `id` attribute, but it won’t validate in most HTML validators. It will also screw up your DOM `document.getElementById()` calls, which return only one element.
If you find yourself using the same id on multiple elements for styling reasons, it’s a sign to use `class` selectors instead.
Web servers serve content at port 443.
DEPENDS
Many web applications will serve content at port 443 for login and other secure transactions because it’s the default HTTPS port. However, in most cases, websites use the default HTTP port: port 80.
I am honestly surprised how many web developers aren’t familiar with the concept of port numbers.
A web server can identify if a client has visited the website before.
DEPENDS
Yet another trick question to bait the higher skilled applicants.
A Competent developer would be quick to point out that HTTP is a stateless protocol. That is, servers are supposed to forget about previous HTTP transactions.
But as we all know, web servers can determine if a client has visited before, whether at the server level (server logs) or at the application level (cookies, sessions).
`POST` is idempotent.
FALSE
This is the second most difficult question in the test as most developers aren’t fully aware of concepts like HTTP verbs and idempotency.
POST is not idempotent: repeating the same request can repeat its side effects. This is why sometimes, when you refresh a non-responding page, the browser prompts you whether to submit the data again, to keep you from submitting it twice and triggering unwanted side effects (e.g. getting billed twice).
A browser redirect can be initiated by a response with an empty body.
TRUE
A Competent web developer should be aware of the Request-Response cycle in HTTP and should have implemented a browser redirect at least once in his/her career. Typically this would be done via HTTP status code 302 with an empty response body, as the target location is defined in the `Location` response header.
In JavaScript, the `var` keyword is optional when declaring variables so it can be omitted in all cases.
FALSE
All JavaScript variables not declared using `var` are considered global variables. And we don’t want a crapload of global variables running around the place, right?
You must specify a function name when declaring JavaScript functions.
FALSE
JavaScript is a functional language. It supports declaring functions without function names (anonymous functions).
jQuery developers would be familiar with this fact due to the frequent use of closures in that framework.
Ajax will prevent you from performing other actions until the Ajax action is completed.
FALSE
Ajax, as the original name implies (Asynchronous JavaScript and XML), is asynchronous. There are ways to make it behave synchronously, though.
You are limited to using XML in Ajax.
FALSE
Even though the name implies that you should use XML in Ajax, most current implementations don’t use XML due to its bloated nature. For example, Facebook uses JSON in their Graph API.
You cannot change the values of a class variable.
FALSE
Class variables are like any other variables: they can be modified unless declared as constant.
Of course, I still had to make the applicant explain what class variables and instance variables are to check their overall skill level.
Constructors are instance methods.
TRUE
Constructors act upon instances of the class, and as such, can be considered as instance methods.
What I’d love to see is for someone to argue that they are class methods. Knowing the difference between instance and class methods can turn an Advanced Beginner to a Competent developer in my book.
Polymorphism refers to the ability to define functions to have different behaviors depending on the passed arguments.
FALSE
The one described above is function overloading. Polymorphism is a different concept altogether.
It’s another trick question, as most Novices would not know the difference between the two (or even know how to properly use polymorphism).
High cohesion and loose coupling can improve coding speed.
DEPENDS
Arguably the most difficult question in the test. Only Competent developers would take time to study enough material on OOP to be familiar with cohesion and coupling.
Anyway, the answer depends on the definition of “coding speed”. If it talks about coding from scratch, high cohesion and loose coupling would slow down coding as it requires the generation of more classes than would the opposite approach. If it talks about overall coding time, which includes addition of new features and maintenance, then yes, it will improve coding speed due to the isolation of changes preventing more bugs from creeping into the system.
You can combine the features of two classes via inheritance.
DEPENDS
Technically, inheritance can combine the features from a parent class with the features of the new subclass.
But if you have two different classes that you need to combine, say a `Car` class and a `Person` class, it would not be good to let the `Person` class inherit from the `Car` class as it would violate the Liskov substitution principle. In those cases, it’s better to use aggregation instead of inheritance.
Encapsulation is primarily used for security reasons.
DEBATABLE
While it is true that hiding the internals of a class is one of the reasons why encapsulation is used (e.g. preventing other classes from messing with variables that might screw up the application), one could argue that, on a larger scale, encapsulation’s enforcement of contracts between objects is more important.
—
And there you have it, 30 questions with no definite answers. Don’t even bother using this as a reviewer when applying for a job in a local IT company; I’ll bet 99% of companies won’t even bother with this type of (hard-to-check) exam.
learned a lot :) nice post :)
Nice set of questions and I would like add more answer
You can undo UPDATE and DELETE changes to the database.
That’s why when running any adhoc CRUD queries in prod db, it’s always a practice to always enclose all queries in transaction (BEGIN) and only
execute the COMMIT after it yielded the expected result/s.
Escaping special characters is the best way to avoid SQL injection.
The best way to avoid SQL injection is to never allow applications to connect using an admin account, never return SQL server error messages to the user, and, as you’ve said, to use a parameterized query.
When using an RDBMS, normalization must be done for all tables.
For OLTP normalized is preferred, while for OLAP it’s the other way around. But I must admit sometimes a fully normalized table like > 3NF really takes SQL skills to CRUD/Select.
Under strict XHTML rules, is not a valid usage of the line break element.
I just use
Web servers serve content at port 443.
Depends, if it’s an internet-facing webserver, HTTP 80 and HTTPS 443, but for internal/intranet use, it can be on any valid unused port the user wishes.
High cohesion and loose coupling can improve coding speed.
Since I consider myself a connected systems developer I’m always in favor of building solutions in a loosely-coupled way. For me separation of concerns/n-tier approach is the way to go.
I would add:
1. How do you handle cross-cutting concerns like error handling, logging and security?
2. What’s the difference between SOAP and REST, and when to use it?
3. What is deadlock? How would you avoid them?
Neither of the first two is foolproof, unlike using parameterized APIs. A non-admin account will still have DELETE and SELECT rights, while not returning server error messages will still allow the malicious action to be executed.
That’s pretty much the answer above, though I personally would flunk a guy who believes that going beyond 3NF should be done to databases. It’s just not practical.
When you need to build a quick script or throw-away tool, forcing things to strictly adhere to OOP concepts is pretty much the wrong way to go.
The only good question here is the deadlock question.
For the first question, the only answer I’d accept would be “Let the framework handle it.” Any other answer would tip me that the applicant is a complicator.
As for the second question, it’s about as bad as the idempotent and coupling question. I’ve met a lot of devs in my career and the only people who know about REST are the really hardcore web devs and the Rails guys. Even in my old CMMI level 5 company, I think only 1 or 2 guys there know about REST.
It was fun answering this! Glad to know I’ve learned a lot from our previous company! :p Hehe.
Tricky questions indeed.
“Escaping special characters is the best way to avoid SQL injection. – FALSE.. The best solution is to use a parameterized interface as suggested by OWASP”
Never knew about this one, I thought escaping special characters is enough. Got to research about this one. Thanks :)
“Polymorphism refers to the ability to define functions to have different behaviors depending on the passed arguments.”
In my opinion, it is generally TRUE.
During college, my professor told me that function overloading is polymorphism. Of course I disagreed. Everyone disagreed. But it turns out that function overloading is also a type of polymorphism. And what almost all of us are referring when we say POLYMORPHISM is actually Subtype Polymorphism.
In my experience, 95% of applicants don’t even know either subtype polymorphism or function overloading. Given that, I would expect that anyone who would say “true” to that answer is most likely guessing.
But if the applicant really knows what real polymorphism is, for example, she could explain that Barbara Liskov’s oft misquoted
may mention “subtypes” but doesn’t imply that inheritance is required (it can be done via encapsulation – ad-hoc polymorphism). In that case, I might have to stop the interview, march over to HR, and ask why the hell I even have to interview a person who could interview me.